Kyverno Version

1.9.2

Kubernetes Version

1.23.x

Kubernetes Platform

EKS

Kyverno Rule Type

Validate

Description

When applying policy that used to have background: false, and check for request.userInfo.groups, but as of latest apply has background: true and no longer has any reference to request.userInfo.groups:

admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode. Set spec.background=false to disable background mode for this policy rule: variable {{ request.userInfo.groups }} is not allowed

It seems like the validation applier to oldObject, instead of the latest object

Steps to reproduce

1. Create policy that has background: false, and request.userInfo.groups check in preconditions
2. update via apply to background: true, and remove request.userInfo.groups section from preconditions
3. see the error:

for: "../kyverno-applier/kyverno-custom-policies/require_probes/require_probes.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode. Set spec.background=false to disable background mode for this policy rule: variable {{ request.userInfo.groups }} is not allowed

Expected behavior

Policy is allowed to apply, as long as the latest apply doesn't violate background: true and presence of request.userInfo.groups

Screenshots

No response

Kyverno logs

No response

Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1681496105313839?thread_ts=1681490191.544979&cid=CLGR9BJU9

Troubleshooting

• I have read and followed the documentation AND the troubleshooting guide.
• I have searched other issues in this repository and mine is not recorded.